Method to Generate, Verify and Deny an Undeniable Signature
Field of the invention 

This invention concerns the field of electronic signatures, in particular the concept of undeniable signature. By undeniable signature is meant a signature which is non-self-authenticating, i.e. which can only be verified with the signer's consent. However, if a signature is only verifiable with the aid of the signer, a dishonest signer may refuse to authenticate a genuine document. Undeniable signatures solve this problem by adding a new component, called the denial protocol, in addition to the normal components of signature generation and verification.

Background art 

An undeniable signature is a cryptographic scheme similar to a classical digital signature except that the recipient of a message cannot verify its validity using only the public key of the signer: he also needs to interact with the signer in order to be convinced of the validity of the signature. This contrasts with the so-called universal verifiability of classical digital signatures, where anybody knowing the signer's public key is able to verify the signature at any time. In some applications such as signing a contract it is desirable to keep the signer's privacy by limiting the ability to verify this signature. However, an undeniable signature does not abandon the non-repudiation property. Indeed, in the case of a dispute the signer could be compelled by an authority to prove the invalidity of a signature, otherwise this would be considered as an attempt to deny a valid signature. As a side benefit, undeniable signatures could in principle be arbitrarily small, e.g. as small as a MAC, although no such signatures have been proposed so far.

An undeniable signature scheme is composed of a signature generation algorithm, a confirmation protocol to prove the validity of a signature and a denial protocol to prove the invalidity of an alleged non-signature. These two protocols often consist of an interactive proof.

Since the invention of the first undeniable signature scheme proposed by D. Chaum [see EP 0 318 097], a certain amount of work has been dedicated to its development and to different improvements. Until the proposal of an undeniable signature scheme based on RSA by Gennaro et al. [US 6,292,897], all the other undeniable signatures were based on the discrete logarithm problem. More recently, two undeniable signatures based on different problems have been proposed. The first one is based on pairings [B. Libert & J-J Quisquater, "Identity based undeniable signatures", Cryptology ePrint Archive, Report 2003/206, 2003] and the second one is based on a quadratic field [see EP 1 185 025].

Aim of the invention 

The aim of the invention is to propose an undeniable signature which has a size smaller than the currently available undeniable signatures, i.e. less than 80 bits. The size could be an issue in several applications such as bank payments, in which the card holder wishes to keep a trace of each transaction in the card.

This aim is achieved by the method as claimed in claim 1.

In the present application, we provide a new computational problem called the Group Homomorphism Interpolation Problem (GHIP), whose solution consists in finding the images of some given points under a homomorphism already interpolated by some other given points. We then explain some links between the GHIP and some known problems in cryptography.

Detailed description of the invention 

Problem Definitions: Given two Abelian groups G and H, we say that a set of points {(x_1, y_1), ..., (x_s, y_s)} ⊆ G × H interpolates in a group homomorphism if there exists a group homomorphism f : G → H such that f(x_i) = y_i for i = 1, ..., s. We say that a set of points B ⊆ G × H interpolates in a group homomorphism with another set of points A ⊆ G × H if A ∪ B interpolates in a group homomorphism. We state here the Group Homomorphism Interpolation problem (GHI problem) and its decisional problem (GHID problem).

GHI Problem (Group Homomorphism Interpolation Problem)
Parameters: two Abelian groups G and H, a set of s points A ⊆ G × H.
Input: x_1, ..., x_t ∈ G.
Problem: find y_1, ..., y_t ∈ H such that {(x_1, y_1), ..., (x_t, y_t)} interpolates with A in a group homomorphism.

GHID Problem (Group Homomorphism Interpolation Decisional Problem)
Parameters: two Abelian groups G and H, a set of s points A ⊆ G × H.
Input: a set of t points B ⊆ G × H.
Problem: does B interpolate with A in a group homomorphism?
We first notice that when the x-coordinates of the points in A generate G then there is at most one solution. A more complete result on the uniqueness notion is exposed below.

Theorem 1. Let G, H be two finite Abelian groups. We denote by d and λ the order and the exponent of H respectively. Let x_1, ..., x_s ∈ G which span G'. The following properties are equivalent. In this case, we say that x_1, ..., x_s H-generate G.

1. For all y_1, ..., y_s ∈ H, there exists at most one group homomorphism f : G → H such that f(x_i) = y_i for all i = 1, ..., s.

2. There exists a unique group homomorphism φ : G → H such that φ(x_i) = 0 for i = 1, ..., s, namely φ = 0.

3. The set Hom(G/G', H) of all group homomorphisms from G/G' to H is restricted to {0}.

4. gcd(#(G/G'), d) = 1.

5. G' + dG = G.

6. G' + λG = G.

7. x_1 mod dG, ..., x_s mod dG span G/dG.

8. x_1 mod λG, ..., x_s mod λG span G/λG.

In what follows we first wonder whether x_1, ..., x_s H-generate G. If yes, we second wonder whether the set of (x_i, y_i) points is accepted by the GHID Problem as input with (G, H) as parameters, i.e. whether it interpolates in a group homomorphism. Note that this homomorphism is necessarily unique. If yes, we finally consider the GHI and GHID Problems with A = {(x_i, y_i) | i = 1, ..., s}.



Links with Well Known Problems



Example 1. We take a cyclic group G of order q, H = Z_q, and a generator g of G. The set A = {(g, 1)} interpolates in a group homomorphism. Finally we notice that the GHI Problem is exactly the discrete logarithm problem.

Example 2. We take a cyclic group G = H, and a generator g of G. For any a ∈ Z, A = {(g, ag)} interpolates in a group homomorphism which is the exponentiation to the power a. Finally, we notice that the GHI and GHID Problems with t = 1 are exactly the Diffie-Hellman problem and the decisional Diffie-Hellman problem respectively.
Example 3. Let n = p × q such that p, q are different odd primes and H = {-1, +1}. We let x_1, x_2 ∈ Z_n^* be such that x_1 is a quadratic residue modulo p and not modulo q, and that x_2 is a quadratic residue modulo q and not modulo p. We notice that A = {(x_1, 1), (x_2, -1)} interpolates in a unique group homomorphism which is the Legendre symbol (·/p). Since it is easy to compute the Jacobi symbol (·/n), the GHI and GHID problems are equivalent to distinguishing quadratic residues modulo n from quadratic non-residues.

Example 4. Here, we consider the well known RSA cryptosystem. Let n = pq be an RSA modulus and G = H = Z_n^*. Let f : Z_n^* → Z_n^* be defined by f(x) = x^e mod n for an exponent e such that gcd(e, φ(n)) = 1. Set d = e^{-1} mod φ(n). Given s pairs (x_i^e mod n, x_i) ∈ Z_n^* × Z_n^* for i = 1, ..., s such that the first coordinates Z_n^*-generate Z_n^*, the RSA decryption problem of a challenged ciphertext is exactly the GHI problem with the parameter t = 1.

Example 5. Given d ∈ {2, 3, 4} and given an integer n such that d divides φ(n), we let G = Z_n^* and H = Z_d.

Example 6. We show here how we can apply the GHI problem to the Bilinear Diffie-Hellman Problem (BDHP) on which the identity based cryptosystem of Boneh and Franklin is based. Let e : G_1 × G_1 → G_2 be a bilinear, non-degenerate and computable mapping, where G_1 and G_2 are cyclic groups of order a large prime p. Let P be a generator of G_1; we can state the BDHP as follows: given three random elements aP, bP and cP ∈ G_1, compute e(P, P)^{abc}. The BDHP is equivalent to the GHIP with the following parameters: A = {(P, e(aP, bP))} and x_1 := cP.

Example 7. Let n = p × q such that p = rd + 1 and q are prime, gcd(r, d) = 1, gcd(q - 1, d) = 1, with d smooth. We take G = Z_n^* and H = Z_d. We can easily compute a group homomorphism by first raising to the power r(q - 1), then computing a discrete logarithm using the Pohlig-Hellman algorithm.
Example 8. Let us consider the Paillier encryption function that maps an element (x, y) ∈ Z_n × Z_n^* to the element g^x · y^n mod n² of Z_{n²}^*, where g is an element of Z_{n²}^* whose order is a multiple of n. For such a g, the Paillier encryption function is an isomorphism. Thus, assuming we have s pairs of plaintexts/ciphertexts that generate Z_n × Z_n^* resp. Z_{n²}^*, the decryption problem of a challenged ciphertext corresponds to the GHI problem with t = 1, G = Z_{n²}^* and H = Z_n × Z_n^*.

This application of the GHIP to the decryption problem can be adapted to every homomorphic encryption scheme.

Note that Examples 3, 4, 5, 6, 7, 8 include trapdoors in order to interpolate the group homomorphism.


Proof Protocol 

Let G, H of order d, A = {(g_1, e_1), ..., (g_s, e_s)} be parameters of a GHI problem. We assume that we have a prover who knows an interpolating group homomorphism f : G → H and wants to convince a verifier in an interactive proof. Let k be an integer. He performs the following interaction with a verifier.

GHIproof_k(A)

Parameters: G, H, d
Input: k, A = {(g_1, e_1), ..., (g_s, e_s)} ⊆ G × H

1: The verifier picks r_i ∈ G and a_{i,j} ∈ Z_d at random for i = 1, ..., k and j = 1, ..., s. He computes u_i = d r_i + a_{i,1} g_1 + ... + a_{i,s} g_s for i = 1, ..., k. He sends u_1, ..., u_k to the prover.

2: The prover computes v_i = f(u_i). He sends a commitment ⟨v_i⟩ to v_1, ..., v_k to the verifier.

3: The verifier sends all r_i's and a_{i,j}'s to the prover.

4: The prover checks that the computations of the u_i's are correct. He then opens his commitment.

5: The verifier checks that v_i = a_{i,1} e_1 + ... + a_{i,s} e_s for i = 1, ..., k.

A commitment scheme can be applied here, e.g. the Halevi-Micali commitment scheme.
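The following Python code is an added example and is not part of the patent text. It instantiates the homomorphism of Example 7 on constructed toy parameters (d = 101 prime, p = 6·101 + 1 = 607, q = 107, so |G| = 606·106 while |H| = 101) and then simulates one run of GHIproof_k(A) between a verifier and a prover. Since G = Z_n^* is written multiplicatively, the protocol's d·r_i + Σ a_{i,j} g_j becomes r_i^d · Π g_j^{a_{i,j}} mod n. Two things are assumptions of the example rather than the page's choices: the discrete logarithm in the order-d subgroup is taken from a lookup table instead of Pohlig-Hellman (same result at this size), and the commitment is a hash of the values with a nonce standing in for the Halevi-Micali scheme. The names (f, ghi_proof, keygen, h_generates, combine_G, combine_H) are the example's own.

```python
import hashlib
import math
import random

# Constructed toy parameters of Example 7 (far too small for real use).
D = 101                  # order of H = Z_D, prime (the text uses 2^20 + 7)
R = 6                    # P = R*D + 1 = 607 is prime and gcd(R, D) = 1
P = R * D + 1
Q = 107                  # prime with gcd(Q - 1, D) = gcd(106, 101) = 1
N = P * Q                # 64949, so G = Z_N^* has (P-1)(Q-1) elements
EXP = R * (Q - 1)        # x -> x^EXP kills the Z_Q^* part and the order-R part of Z_P^*
assert math.gcd(R, D) == 1 and math.gcd(Q - 1, D) == 1

# The image of x -> x^EXP is the unique subgroup of order D of Z_N^*; D being
# prime, any element of it other than 1 generates it.
H_GEN = pow(2, EXP, N)
assert H_GEN != 1
# Example 7 uses Pohlig-Hellman for this discrete logarithm; a lookup table of the
# whole order-D subgroup is the same computation done naively (assumption).
DLOG = {pow(H_GEN, i, N): i for i in range(D)}


def f(x):
    """Secret homomorphism Z_N^* -> Z_D: f(x) = log_{H_GEN}(x^EXP mod N)."""
    return DLOG[pow(x, EXP, N)]


def random_unit(rng):
    """Uniform element of Z_N^*. rng is a seeded PRNG so the run is reproducible;
    a real verifier must draw its challenges from a cryptographic source."""
    while True:
        x = rng.randrange(2, N)
        if math.gcd(x, N) == 1:
            return x


def combine_G(r, coeffs, gs):
    """d*r + sum_j a_j g_j written in G = Z_N^*: r^D * prod_j g_j^a_j mod N."""
    u = pow(r, D, N)
    for a, g in zip(coeffs, gs):
        u = u * pow(g, a, N) % N
    return u


def combine_H(coeffs, es):
    """sum_j a_j e_j in H = Z_D."""
    return sum(a * e for a, e in zip(coeffs, es)) % D


def commit(values, nonce):
    """Hash commitment, a stand-in for the Halevi-Micali scheme (assumption)."""
    return hashlib.sha256(nonce + repr(values).encode()).hexdigest()


def h_generates(es):
    """Theorem 1, property 7, with G/dG = Z_D (D prime): the g_j H-generate G
    iff at least one g_j is not a D-th power in Z_N^*, i.e. f(g_j) != 0."""
    return any(e != 0 for e in es)


def keygen(rng, s):
    """A = {(g_j, e_j)} with e_j = f(g_j), redrawn until the g_j H-generate G."""
    while True:
        gs = [random_unit(rng) for _ in range(s)]
        es = [f(g) for g in gs]
        if h_generates(es):
            return gs, es


def ghi_proof(prover_f, gs, es, k, rng):
    """One run of GHIproof_k(A). prover_f is whatever the prover evaluates
    (f itself for an honest prover). Returns the verifier's verdict."""
    s = len(gs)
    # Step 1: blinded challenges u_i = d*r_i + sum_j a_ij g_j.
    rs = [random_unit(rng) for _ in range(k)]
    coeffs = [[rng.randrange(D) for _ in range(s)] for _ in range(k)]
    us = [combine_G(rs[i], coeffs[i], gs) for i in range(k)]
    # Step 2: the prover answers v_i = f(u_i) and commits to all of them.
    vs = [prover_f(u) for u in us]
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    c = commit(vs, nonce)
    # Step 3: the verifier reveals r_i and a_ij.
    # Step 4: the prover opens only if every u_i was formed as claimed.
    if any(combine_G(rs[i], coeffs[i], gs) != us[i] for i in range(k)):
        return False
    # Step 5: the verifier checks the opening and v_i = sum_j a_ij e_j; the
    # blinding term d*r_i drops out because f(d*r_i) = D*f(r_i) = 0 in Z_D.
    if commit(vs, nonce) != c:
        return False
    return all(vs[i] == combine_H(coeffs[i], es) for i in range(k))


if __name__ == "__main__":
    rng = random.Random(2024)
    gs, es = keygen(rng, 3)
    print("|G| =", (P - 1) * (Q - 1), "|H| =", D)
    print("honest prover accepted:", ghi_proof(f, gs, es, 10, rng))
    print("prover answering 0 accepted:", ghi_proof(lambda u: 0, gs, es, 10, rng))
```

A prover who does not know f (here one that always answers 0) passes a round only when Σ_j a_{i,j} e_j happens to be 0, which is the 1/p per round bound of Theorem 2 with p = d = 101; with k = 10 rounds the run above rejects it.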

Theorem 2. Assuming that g_1, ..., g_s H-generate an Abelian group G, let d be an integer and e_1, ..., e_s ∈ H, where H is an Abelian group of order d. We consider the GHIproof_k(A) protocol with A = {(g_1, e_1), ..., (g_s, e_s)}.

i. Assuming that the prover and the verifier are honest, the protocol always succeeds.

ii. Assuming that the commitment scheme is zero-knowledge, the above protocol is zero-knowledge against any verifier.

iii. For any θ > 0, assuming that the protocol succeeds with probability greater than (1/p^k)(1 + θ) (where p is the smallest prime factor of d) with an honest verifier, for any ε > 0 there exists an extractor with a time complexity factor O(log(1/ε)) which can compute an interpolating group homomorphism from the prover with probability at least 1 - ε.

Proof (sketch). Property i is quite clear. Property ii is proven by constructing a simulator for the transcript of the protocol without the secret of the prover. For this we need to extract a function f out of the prover. We realize that the verifier's information in Step 3 reveals no useful information to the prover because he had to commit in Step 2 to the information he reveals in Step 4. This means that the prover must be able to compute it even without the information from the verifier, particularly if the commitment is statistically binding. Hence the prover must be able to compute this function f.

Theorem 3. Assuming that x_1, ..., x_s H-generate an Abelian group G, H is an Abelian group of order d and y_1, ..., y_s ∈ H such that A = {(x_1, y_1), ..., (x_s, y_s)} interpolates in a group homomorphism between G and Z_d. For B = {(x_{s+1}, y_{s+1}), ..., (x_{s+t}, y_{s+t})} we consider the GHIproof_k(A ∪ B) protocol.

i. Assuming that the prover and the verifier are honest, the protocol always succeeds.

ii. Assuming that the commitment scheme is statistically hiding, the above protocol is statistically zero-knowledge against any verifier.

iii. Assuming that the protocol succeeds with probability greater than 1/p^k (where p is the smallest prime factor of d) with an honest verifier, then B interpolates with A in a group homomorphism.

Signature scheme 




We now describe our undeniable signature scheme. 

Public parameters. We let integers k, k', ℓ, s, t be security parameters and "group types" for G and H.

Primitives. We use two deterministic random generators Gen_1 and Gen_2 and a commitment scheme.

To generate the public and secret key, a particular optional procedure should be used to ensure that the keys comply with the following mechanisms:

1. The signer selects Abelian groups G and H of the given type together with a group homomorphism f : G → H. He computes the order d of H. He submits his identity I together with G, H and d to the identity authority.

2. The authority first checks that G and H are of the required type and that d is correct, then picks a random number ρ that is sent to the signer.

3. The signer computes the s first values (g_1, ..., g_s) from Gen_1(ρ) and e_i := f(g_i), i = 1, ..., s. He sends (e_1, ..., e_s) to the authority. We set A_0 := {(g_1, e_1), ..., (g_s, e_s)}. Then the signer interacts in a GHIproof_{k'}(A_0) protocol with the authority in order to prove the validity of the e_i's.

4. Finally, the authority computes a signature C for (I, G, H, d, ρ, (e_1, ..., e_s)).

The signer should be limited to a few registration attempts to the authority.
Public Key. K_p = (G, H, d, ρ, (e_1, ..., e_s)), with an optional I, C.
Secret Key. K_s = f.

Signature generation. A message m is first used in order to generate x_1, ..., x_t from Gen_2(m). The signer computes y_j = f(x_j) for j = 1, ..., t. The signature is (y_1, ..., y_t).

In other words, this method comprises the following steps:

- transforming (see Gen_2) the set of data (m) to a sequence of a predetermined number (t) of blocks (x_1, ..., x_t), these blocks being members of an Abelian group, this transformation being a one way function,

- applying to each block (x_j) a group homomorphism (f) to obtain a resulting value (y_j), in which the number of elements of the initial group (G) is larger than the number of elements (d) of the destination group (H).

The fact that the number of elements of the destination group (H) is smaller than that of the initial group (G) entails that the representation of all elements of the initial group needs a larger numeric value than the representation of the destination group.

Taking Example 7: the initial group is Z_n^* where n = p × q, p and q being two prime numbers of 512 bits. These numbers have a sufficient size to avoid a retrieval through a factorization of n. The size of the initial group will be about 2^1024.

According to Example 7, we have selected 2^20 + 7 as the number of destination elements, which is preferably a prime number. The known confirmation and denial protocols were not able to challenge a signature when the number of elements in the initial and destination groups is not the same.

Confirmation Protocol. Compute g_1, ..., g_s from the public key, x_1, ..., x_t from the message m, run GHIproof_k({(g_i, e_i) | i = 1, ..., s} ∪ {(x_j, y_j) | j = 1, ..., t}).

In other words, the confirmation protocol is a method of confirming to a Verifier an undeniable signature (y_1, ..., y_t) of a message (m) generated by a Signer as above, taking into account a predefined security parameter (k) of the confirmation protocol, this Signer having a public/secret key pair, this method comprising the following steps:

- obtaining a personal value (ρ) of the Signer, this personal value being part of the public key (G, H, d, ρ, (e_1, ..., e_s)) of the Signer,

- extracting a first sequence of elements (e_1, ..., e_s) from the public key,

- generating (see Gen_1) a second sequence of elements (g_1, ..., g_s) from the personal value (ρ),

- generating a third sequence of elements (x_1, ..., x_t) from the message (m),

the proof protocol GHIproof_k executing the following steps:

- randomly picking challenge parameters r_i ∈ G and a_{i,j} ∈ Z_d for i = 1, ..., k and j = 1, ..., s+t (the number of input elements is now extended to s+t) and computing a challenge value u_i = d r_i + a_{i,1} g_1 + ... + a_{i,s} g_s + a_{i,s+1} x_1 + ... + a_{i,s+t} x_t,

- sending by the Verifier the challenge value u_i to the Signer,

- computing by the Signer the response value v_i = f(u_i),

- calculating by the Signer a commitment value (⟨v_i⟩) of the response value (v_i) and sending it to the Verifier,

- sending by the Verifier the challenge parameters r_i and a_{i,j} to the Signer,

- verifying by the Signer whether u_i = d r_i + a_{i,1} g_1 + ... + a_{i,s} g_s + a_{i,s+1} x_1 + ... + a_{i,s+t} x_t and, in the positive event, the Signer opens the commitment on the response value (v_i),

- verifying by the Verifier whether v_i = a_{i,1} e_1 + ... + a_{i,s} e_s + a_{i,s+1} y_1 + ... + a_{i,s+t} y_t.
Denial Protocol. Let m be a message and (z_1, ..., z_t) be an alleged non-signature. The prover and the verifier compute g_1, ..., g_s from the public key and x_1, ..., x_t from the message. The signer computes the real signature (y_1, ..., y_t). We repeat ℓ times the following protocol.

1. The verifier picks r_j ∈ G, a_{j,i} ∈ Z_d for i = 1, ..., s, j = 1, ..., t, and λ ∈ Z_p where p is the smallest prime dividing d. He computes u_j := d r_j + Σ_{i=1}^{s} a_{j,i} g_i + λ x_j and w_j := Σ_{i=1}^{s} a_{j,i} e_i + λ z_j for j = 1, ..., t. Set u := (u_1, ..., u_t) and w := (w_1, ..., w_t). He sends u and w to the prover.

2. The prover computes v_j := f(u_j) for j = 1, ..., t. Since w_j - v_j = λ(z_j - y_j), he should be able to find λ if the alleged non-signature is really invalid and the verifier is honest. Otherwise, he sets λ to a random value. He then sends a commitment to λ to the verifier.

3. The verifier sends all r_j's and a_{j,i}'s to the prover.

4. The prover checks that all r_j's and a_{j,i}'s were generated correctly. He then opens the commitment to λ.

5. The verifier checks that the prover could find the right λ. Otherwise, we stop the protocol and the invalidity of the signature remains undetermined.

In other words, this method consists in denying to a Verifier, by a Signer, an alleged non-signature (z_1, ..., z_t) of a message (m), this signature being intended to be generated according to the claims 1 to ... by the Signer, this Signer having a public/secret key pair, this method taking into account a predefined security parameter (ℓ) of the denial protocol and comprising the following steps:

- obtaining by the Verifier a personal value (ρ) of the Signer, this personal value being part of the public key (G, H, d, ρ, (e_1, ..., e_s)) of the Signer,

- extracting by the Verifier a first sequence of elements (e_1, ..., e_s) from the public key,

- generating by the Verifier and the Signer a second sequence of elements (g_1, ..., g_s) from the personal value (ρ),

- generating by the Verifier and the Signer a third sequence of elements (x_1, ..., x_t) from the message (m),

- calculating by the Signer the true signature (y_1, ..., y_t),

- repeating the following steps ℓ times, ℓ being the predetermined security parameter,

- randomly picking by the Verifier challenge parameters r_j ∈ G and a_{j,i} ∈ Z_d for i = 1, ..., s and j = 1, ..., t, and λ ∈ Z_p where p is the smallest prime dividing d,

- computing u_j := d r_j + a_{j,1} g_1 + ... + a_{j,s} g_s + λ x_j and w_j := a_{j,1} e_1 + ... + a_{j,s} e_s + λ z_j for j = 1, ..., t,

- sending by the Verifier the challenge values u_j and w_j to the Signer,

- computing by the Signer a response test value TV_j := (z_j - y_j),

- for each j = 1 to t, determining whether the test value TV_j = 0,

- in the negative event, calculating a test parameter λ_j according to the following formula: w_j - v_j = λ_j (z_j - y_j),

- determining an intermediate value IV, this value being equal to one valid test parameter λ_j and, in case no valid test parameter is found, selecting as intermediate value a random value,

- sending a commitment value CT based on the intermediate value IV to the Verifier,

- sending by the Verifier the challenge parameters r_j, a_{j,i} and the test parameter λ to the Signer,

- verifying by the Signer whether u_j = d r_j + a_{j,1} g_1 + ... + a_{j,s} g_s + λ x_j and w_j = a_{j,1} e_1 + ... + a_{j,s} e_s + λ z_j hold for j = 1, ..., t, and in the positive event, the Signer opens the commitment on the intermediate value (IV) to the Verifier,

- verifying by the Verifier that the test parameter λ is equal to the intermediate value IV.


This denial protocol is inspired by Gennaro et al. [US 6,292,897]. Furthermore, their undeniable signature scheme based on RSA corresponds to a special case of our scheme, namely with G = H = Z_n^*, s = t = 1 and the classical RSA signing function as homomorphism f. Another example that is a special case of our scheme is the undeniable signature of D. Chaum [D. Chaum, Zero-Knowledge Undeniable Signatures, Advances in Cryptology - Eurocrypt '90, LNCS 473]. He considered G = H = Z_p^* for a prime p and the homomorphism consisting in raising an element to the power of the private key. Our setting makes it possible to have H substantially smaller than G.

We notice that λ was chosen such that it can be uniquely retrieved for every nonzero value of Z_d that can be taken by the elements z_j - y_j. Namely, this is done by the following result.

Lemma 1. Let H be an Abelian group of order d, a, b ∈ H such that b ≠ 0. Let λ be in {1, ..., p - 1}, where p is the smallest prime dividing d. Then, if the equation a = λb has a solution in λ, this one is unique.

Even if λ is uniquely determined for a general d, it offers computational advantages to choose d as a prime.
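The following Python code is an added example, not part of the patent, covering signature generation (Gen_2 followed by f) and the denial protocol described above. It runs in a constructed toy setting chosen so that the protocol's additive notation can be used literally: G = Z_M with M = 101·2^16, H = Z_D with D = 101 prime (so the smallest prime p dividing d is d itself, and D | M), and the secret homomorphism is f(x) = C·x mod D, a stand-in for a trapdoor homomorphism such as the one of Example 7. Gen_2 is modelled as SHA-256 of the message and an index, the commitment as a hash with a nonce, and the names (gen2, sign, solve_lambda, denial_round, denial_protocol) are the example's own. The search in solve_lambda is exactly the uniqueness statement of Lemma 1.

```python
import hashlib
import random

D = 101               # |H| = d, prime, so the smallest prime p dividing d is D
P_MIN = D             # the p of the protocol (lambda is drawn from Z_p)
M = D * 2 ** 16       # |G|; D | M makes f well defined on Z_M
SECRET_C = 37         # secret key K_s = f, with f below (constructed)


def f(x):
    """Stand-in secret homomorphism Z_M -> Z_D; f(d*r) = 0 for every r."""
    return SECRET_C * x % D


def gen2(message, t):
    """Gen_2(m): t elements of G derived deterministically from the message."""
    out = []
    for j in range(t):
        h = hashlib.sha256(message + j.to_bytes(2, "big")).digest()
        out.append(int.from_bytes(h, "big") % M)
    return out


def sign(message, t):
    """Signature generation: y_j = f(x_j) for the x_j produced by Gen_2(m)."""
    return [f(x) for x in gen2(message, t)]


def commit(value, nonce):
    """Hash commitment with a nonce (stand-in for the Halevi-Micali scheme)."""
    return hashlib.sha256(nonce + str(value).encode()).hexdigest()


def solve_lambda(a, b):
    """Lemma 1: for b != 0 in Z_D and lambda in Z_p, a = lambda*b has at most one
    solution since ord(b) >= p. Returns that solution, or None if there is none."""
    sols = [lam for lam in range(P_MIN) if lam * b % D == a]
    assert len(sols) <= 1
    return sols[0] if sols else None


def denial_round(z, y, xs, gs, es, rng):
    """One round between an honest verifier and the signer, who knows y = f(x)
    and claims that the alleged signature z differs from it."""
    t, s = len(z), len(gs)
    # Step 1: the verifier hides lambda inside u_j (in G) and w_j (in H).
    lam = rng.randrange(P_MIN)
    rs = [rng.randrange(M) for _ in range(t)]
    a = [[rng.randrange(D) for _ in range(s)] for _ in range(t)]
    us = [(D * rs[j] + sum(a[j][i] * gs[i] for i in range(s)) + lam * xs[j]) % M
          for j in range(t)]
    ws = [(sum(a[j][i] * es[i] for i in range(s)) + lam * z[j]) % D
          for j in range(t)]
    # Step 2: v_j = f(u_j) gives w_j - v_j = lambda*(z_j - y_j); any index with
    # z_j != y_j therefore yields lambda (uniquely, Lemma 1); otherwise guess.
    vs = [f(u) for u in us]
    iv = None
    for j in range(t):
        diff = (z[j] - y[j]) % D
        if diff != 0:
            iv = solve_lambda((ws[j] - vs[j]) % D, diff)
            if iv is not None:
                break
    if iv is None:
        iv = rng.randrange(P_MIN)
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    ct = commit(iv, nonce)
    # Steps 3 and 4: the verifier reveals r_j, a_ji, lambda; the signer recomputes
    # u_j and w_j and opens the commitment only if both match.
    us_ok = all((D * rs[j] + sum(a[j][i] * gs[i] for i in range(s)) + lam * xs[j]) % M
                == us[j] for j in range(t))
    ws_ok = all((sum(a[j][i] * es[i] for i in range(s)) + lam * z[j]) % D == ws[j]
                for j in range(t))
    if not (us_ok and ws_ok):
        return False
    # Step 5: the verifier checks the opening and that IV equals its lambda.
    return commit(iv, nonce) == ct and iv == lam


def denial_protocol(z, xs, gs, es, rounds, rng):
    """ell = rounds repetitions; True means the verifier accepts that z is invalid."""
    y = [f(x) for x in xs]
    return all(denial_round(z, y, xs, gs, es, rng) for _ in range(rounds))


if __name__ == "__main__":
    rng = random.Random(7)
    gs = [rng.randrange(M) for _ in range(2)]      # first key-setup variant
    es = [f(g) for g in gs]
    msg = b"constructed message"
    xs, y = gen2(msg, 3), sign(msg, 3)
    z = list(y)
    z[1] = (z[1] + 1) % D                          # a genuinely invalid signature
    print("deny invalid z:", denial_protocol(z, xs, gs, es, 8, rng))
    print("deny the true y:", denial_protocol(y, xs, gs, es, 8, rng))
```

When z equals the true signature, every w_j - v_j is 0 regardless of λ, so the signer learns nothing about λ from the challenge and can only guess it, which is the 1/p per-round bound behind Theorem 5, property v.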

We propose here two variants of the key setup, where the signer can generate the public key by itself. In the first variant, he simply picks a random value ρ in order to generate the s values (g_1, ..., g_s) from Gen_1(ρ) and computes e_i := f(g_i). His public key is (G, H, ρ, (e_1, ..., e_s)). This variant requires a larger s such that the probability of generating some g_i's that do not H-generate G is sufficiently low.

In the second variant, the signer can drastically reduce the size of s. However, the signer has to be able to solve the following problem in G. For a given δ ∈ G and g_1, ..., g_s ∈ G that H-generate G, find some elements r ∈ G, a_1, ..., a_s ∈ Z_d such that δ = dr + Σ_{i=1}^{s} a_i g_i. He directly chooses some elements g_1, ..., g_s ∈ G that H-generate G and computes the corresponding e_i's. The public key is (G, H, d, (g_1, ..., g_s), (e_1, ..., e_s)). Furthermore, the signer has to convince an authority or a verifier that the g_i's really H-generate G. This can be done as follows. Repeat m times:

1. The prover picks a δ_1 ∈ G at random and sends a commitment to δ_1 to the verifier.

2. The verifier picks a δ_2 ∈ G at random and sends δ_2 to the prover.

3. The prover computes some coefficients r ∈ G, a_1, ..., a_s ∈ Z_d such that δ_1 + δ_2 = dr + Σ_{i=1}^{s} a_i g_i. He sends r, a_1, ..., a_s to the verifier and opens the commitment to δ_1.

4. The verifier checks that δ_1 + δ_2 = dr + Σ_{i=1}^{s} a_i g_i really holds.

Note that in these variants the signer also has to run a GHIproof_{k'}((g_1, e_1), ..., (g_s, e_s)) protocol with a verifier (recipient) or an authority. The latter possibility is adequate in order to save some GHIproof protocol runs but requires the use of a certificate. A similar remark holds for the above protocol (H-generation of G) as well.
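As an added example (not the patent's own code) of the four-step H-generation protocol of the second variant, the Python below works in the constructed toy group G = Z_M with M = 101·2^16 and d = D = 101 prime, where G/dG = Z_D and the g_i H-generate G exactly when at least one of them is nonzero modulo D. The decomposition δ = d·r + Σ a_i g_i is solved with one invertible g_i (an assumption of the example; in a general G the signer needs its own way of solving this problem). The commitment is a hash with a nonce, and the names decompose, check and hgen_proof are the example's own.

```python
import hashlib
import random

D = 101             # d, prime
M = D * 2 ** 16     # |G| for G = Z_M (constructed); D divides M


def decompose(delta, gs):
    """Solve delta = d*r + sum_i a_i g_i in Z_M using the first g_i that is
    invertible mod D. Returns (r, a) or None when no g_i is nonzero mod D,
    i.e. when the g_i do not H-generate G."""
    for i, g in enumerate(gs):
        if g % D != 0:
            a = [0] * len(gs)
            a[i] = delta * pow(g % D, -1, D) % D   # makes delta - a_i g_i = 0 mod D
            rest = (delta - a[i] * g) % M           # still divisible by D as D | M
            return rest // D, a                     # d*r = rest in Z_M
    return None


def check(delta, r, a, gs):
    """The verifier's step 4 test: delta_1 + delta_2 = d*r + sum_i a_i g_i."""
    return (D * r + sum(ai * gi for ai, gi in zip(a, gs))) % M == delta % M


def commit(value, nonce):
    return hashlib.sha256(nonce + str(value).encode()).hexdigest()


def hgen_proof(gs, rounds, rng):
    """m = rounds repetitions of steps 1-4; True if every round verifies."""
    for _ in range(rounds):
        d1 = rng.randrange(M)                                  # 1. prover's delta_1
        nonce = rng.getrandbits(128).to_bytes(16, "big")
        ct = commit(d1, nonce)
        d2 = rng.randrange(M)                                  # 2. verifier's delta_2
        delta = (d1 + d2) % M
        sol = decompose(delta, gs)                             # 3. prover decomposes
        if sol is None:
            return False
        r, a = sol
        if commit(d1, nonce) != ct or not check(delta, r, a, gs):   # 4. verifier checks
            return False
    return True


if __name__ == "__main__":
    rng = random.Random(3)
    print("good g's:", hgen_proof([D * 5, 12345, 777], 5, rng))
    print("all g's in dG:", hgen_proof([D * 4, D * 9], 5, rng))
```

The commitment to δ_1 before δ_2 is revealed is what stops the prover from choosing δ_1 so that δ_1 + δ_2 is a convenient element: the sum is only known after both sides have committed.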

Security analysis 

Theorem 4 (Setup protocol). Let k', k, d, s, G, H, f, Gen_1, Gen_2 be as in the setup of the above undeniable signature; we have the following security results.

i. Given a prime p, we let A_p be the subgroup of G of all terms whose orders are powers of p. Given p there is a unique k_p and a unique sequence a_{p,1} < ... < a_{p,k_p} such that A_p is isomorphic to Z_{p^{a_{p,1}}} ⊕ ... ⊕ Z_{p^{a_{p,k_p}}}. The probability that g_1, ..., g_s ∈_U G H-generate G, denoted P_Hgen, satisfies

P_Hgen ≥ ∏_{p ∈ P_d} (1 − 1/p^{…})

where P_d is the set of all primes that are factors of gcd(#G, d).

ii. Assuming that the Setup protocol succeeds with probability greater than (1/p + θ)^k, for θ > 0, then the prover knows the secret key.

Theorem 5. Let k, k', ℓ, d, s, t, G, H, f, Gen_1, Gen_2, commit be as in the above undeniable signature scheme. Assuming that the public key is valid, we have the following security results.

i. If the signer and the verifier are honest, the two protocols are complete: a valid signature will always be accepted by the confirmation protocol, and an invalid signature will always be rejected by the denial protocol.

ii. The scheme resists existential forgery attacks: provided that Gen_2 is a random oracle, if an attacker who has access to the signing oracle and who queries Gen_2 Q_G times can later forge new signatures which are valid with probability q, then he can solve the GHI Problem on A = {(g_1, e_1), ..., (g_s, e_s)} successfully with probability q and similar complexity.

iii. The confirmation protocol is sound: if the signer is able to convince a verifier that a given signature is valid with probability q > p^{-k}, then the signature is valid.

iv. The confirmation protocol is private: if a prover is able to convince a verifier that a given signature is valid with probability q > (1/p + θ)^k (where θ is a constant), then we can extract from him a group homomorphism which solves the GHI Problem with arbitrarily high success probability.

v. The denial protocol is sound: if the signer is able to pass the protocol with probability q > p^{-ℓ}, then the alleged signature must be invalid.

vi. The confirmation protocol is zero-knowledge: for any verifier we can build a simulator for the protocol without the secret key.

vii. The denial protocol is zero-knowledge: for any verifier we can build a simulator for the protocol without the secret key.
Proof (sketch).

i. The assertion for the confirmation protocol follows from the completeness of GHIproof_k. For the denial protocol, the assertion is proved by noticing that there is at least one index j such that z_j - y_j ≠ 0 and that the prover will find the right λ.

ii. First, we show that an attacker A having access to a signing oracle can be simulated by an attacker without this access. Indeed, when A calls the signing oracle on a message m, the signing oracle will first produce a sequence of t values x_1, ..., x_t ∈ G and then compute y_j := f(x_j) for j = 1, ..., t. From the point of view of A, this is completely equivalent to disposing of a random source generating pairs of the form (x, f(x)), since Gen_2 is modelled as a random oracle. Assuming that the g_i's generate G/dG, we see that this source can be simulated by picking some random r ∈ G, a_i ∈ Z_d, computing x := dr + a_1 g_1 + ... + a_s g_s and f(x) = a_1 e_1 + ... + a_s e_s. We denote now by x_1, ..., x_t the challenged elements of the GHI problem. We use our attacker A in order to compute the f(x_j)'s as follows. We simulate Gen_2 by computing u_j := dr + x_j + Σ_{i=1}^{s} a_i g_i for some random r ∈ G, a_i ∈ Z_d and j = 1, ..., t. Such u_j's are indistinguishable from some uniformly picked elements in G. By standard proofs we show that forged signatures are necessarily one of the Gen_2 queries, so we can deduce f(x_j) from the value f(u_j) for j = 1, ..., t.

iii. This directly comes from Theorem 3, property iii.

iv. This directly comes from Theorem 2, property iii.

v. A cheating prover willing to deny a valid signature has to find the value of λ at each round of the protocol. Since f(u_j) = w_j, the prover does not learn additional information from w_j and has to find λ from u_j only. Similarly, as in the proof of property iii, he cannot find λ since another distribution of the values u_j with another λ is indistinguishable from the first one. Assuming that the commitment scheme is perfectly binding, the cheating prover cannot do better than answering a random λ.

vi. This comes from property ii in Theorem 3.

vii. This is done as in the publication "R. Gennaro, T. Rabin and H. Krawczyk, RSA-Based Undeniable Signatures, Journal of Cryptology, 13".

Various embodiments and discussions thereof

Characters on Z_n^*

In this section, we introduce the notion of multiplicative characters and study in particular some special cases in more detail. These multiplicative characters are particular cases of group homomorphisms in which the number of elements in the initial group is larger than that of the destination group, and therefore the construction of the claimed undeniable signature applies to these multiplicative characters.

The cases of order 2, 3 and 4 will be exposed in the following subsections.

Definition 1. Let n be an integer. A character χ on Z_n^* is a map from Z_n^* to C - {0} satisfying

χ(ab) = χ(a)χ(b) for all a, b ∈ Z_n^*.

From this definition, we can quickly deduce that χ(1) = 1 and that the value χ(a) is always a λ(n)-th root of unity for all a ∈ Z_n^*, where λ(n) denotes the Carmichael function. We can also define a group structure on the set of characters on Z_n^*. In this group, the product (group operation) χ_1χ_2 of the two characters χ_1 and χ_2 represents the map a → χ_1(a)χ_2(a) and the inverse χ^{-1} maps each element a to χ(a)^{-1}.

Proposition. Let p be a prime and d an integer such that d | p - 1.

1. The group of characters defined on Z_p^* is a cyclic group of order p - 1.

2. The characters on Z_p^* of order dividing d form a cyclic subgroup of order d.

The second part of this proposition is especially interesting for us because we will consider characters of small order (e.g. 2, 3, 4) defined on Z_n^* for n large.

We notice also that a character of order d maps the elements of Z_p^* to the set {ζ_d^j | 0 ≤ j ≤ d - 1} where ζ_d denotes the unit e^{2πi/d} and i := √(-1).

We provide a way to define certain multiplicative characters on Z_n^* for n being the product of two special primes. Since Z_n^* is not cyclic, using the above definition in this case is not suitable. Moreover, it is more natural for our purposes to define such characters in the same way the Jacobi symbol is defined from the Legendre symbol in the case of quadratic residuosity (or character of order 2). First, assume we are given an integer d and two different primes p, q such that d | p - 1 and d | q - 1. From two characters χ_1 and χ_2 of order d defined on Z_p^* and Z_q^* respectively, we define a character χ of order d as follows:

χ(a) := χ_1(a mod p) · χ_2(a mod q).

For each character χ of order d we will sometimes associate a logarithm function denoted log_χ. For an element a ∈ Z_n^*, we know that χ(a) is of the form ζ_d^j for a j ∈ {0, 1, ..., d - 1}. We define log_χ(a) equal to this j.

We present in the following subsections some complements that are specific to the cases d = 2, 3, 4. For more details about the theory of this section, such as proofs that are omitted, we refer to the book of Ireland and Rosen [K. Ireland and M. Rosen, "A Classical Introduction to Modern Number Theory: Second Edition", Graduate Texts in Mathematics 84, Springer, 1990].

Characters of order 2

Let $p$ be an odd prime number. By this proposition, we know that there are only two characters of order 2, namely the trivial character $\varepsilon$ that maps every element to 1 and the Legendre symbol. We recall that the Legendre symbol $(a/p)$ for an integer $a$ with $(a, p) = 1$ is 1 if $a$ is congruent to a square modulo $p$ (quadratic residue) and $-1$ if it is not the case (quadratic non-residue). It turns out that there are as many quadratic residues as quadratic non-residues in $\mathbb{Z}_p^*$, namely $(p - 1)/2$ of each.

For an odd integer $n$, the Jacobi symbol $(a/n)$ for an $a \in \mathbb{Z}$ s.t. $(a, n) = 1$ is defined as $(a/n) = (a/p_1)^{e_1} (a/p_2)^{e_2} \cdots (a/p_k)^{e_k}$, where $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ is the factorization of $n$ into primes.

Some additional properties are given below.

Proposition. Let $p$ be an odd prime, $a, b \in \mathbb{Z}$ and $n \in \mathbb{Z}$ odd. Then

1. $a^{(p-1)/2} \equiv (a/p) \pmod p$.

2. $(ab/n) = (a/n)(b/n)$.

3. If $a \equiv b \pmod n$, then $(a/n) = (b/n)$.

4. If $a$ and $b$ are odd, then $(a/b)(b/a) = (-1)^{\frac{a-1}{2} \cdot \frac{b-1}{2}}$ (Law of Quadratic Reciprocity).

5. $(2/n) = (-1)^{(n^2 - 1)/8}$.

Let us consider a modulus $n = pq$. As we explained at the beginning of this section, we define the characters on $\mathbb{Z}_n^*$ by multiplying two characters defined on $\mathbb{Z}_p^*$ and $\mathbb{Z}_q^*$. In this case this simply corresponds to the Jacobi symbol $(a/n)$, the Legendre symbols $(a/p)$ or $(a/q)$, and the trivial character.

Note also that the properties given in this proposition are used in order to compute the Jacobi symbol in a time complexity of $O(\log(n)^2)$.
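As an added example (not part of the patent text), the Jacobi symbol computed with properties 2 to 5 of the proposition above, Euler's criterion for property 1, and the four characters of order dividing 2 on $\mathbb{Z}_n^*$, $n = pq$, built by the product rule $\chi(a) = \chi_1(a \bmod p) \cdot \chi_2(a \bmod q)$; all function names are my own.

```python
# Added example (not from the patent): Jacobi symbol via properties 2-5 of the
# proposition above, Euler's criterion (property 1), and the order-2 characters
# on Z_n^* for n = p*q obtained from chi(a) = chi_1(a mod p) * chi_2(a mod q).
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns 0 when gcd(a, n) > 1."""
    assert n > 0 and n % 2 == 1
    a %= n                       # property 3: only a mod n matters
    result = 1
    while a != 0:
        while a % 2 == 0:        # property 5: (2/n) = (-1)^((n^2-1)/8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a              # property 4: reciprocity, a and n both odd here
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def legendre_by_euler(a, p):
    """Property 1: a^((p-1)/2) = (a/p) (mod p) for an odd prime p."""
    v = pow(a, (p - 1) // 2, p)
    return -1 if v == p - 1 else v

def order2_characters(p, q):
    """The four characters of order dividing 2 on Z_n^*, n = p*q: the trivial
    character, the Legendre symbols (./p), (./q) and their product, which is
    the Jacobi symbol (./n)."""
    chi_p = lambda a: legendre_by_euler(a % p, p)
    chi_q = lambda a: legendre_by_euler(a % q, q)
    return {"trivial": lambda a: 1, "(./p)": chi_p, "(./q)": chi_q,
            "(./n)": lambda a: chi_p(a) * chi_q(a)}

def check_jacobi_is_product(p, q):
    """Verify (a/n) = (a/p)(a/q) and property 2 over all of Z_n^* (n = p*q)."""
    n = p * q
    chi_n = order2_characters(p, q)["(./n)"]
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    for a in units:
        if jacobi(a, n) != chi_n(a):
            return False
        for b in units:          # property 2: (ab/n) = (a/n)(b/n)
            if jacobi(a * b, n) != jacobi(a, n) * jacobi(b, n):
                return False
    return True
```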

Characters of order 3 

Here, we need to introduce a new ring called the ring of Eisenstein integers. Indeed, this ring is the natural structure to study the characters of order 3 or the cubic residuosity.

In what follows, $\omega$ will always denote the complex number $(-1 + \sqrt{-3})/2$. We define the ring of the Eisenstein integers as the set $\mathbb{Z}[\omega] := \{a + b\omega \mid a, b \in \mathbb{Z}\}$ with the classical operations (addition, multiplication) of $\mathbb{C}$. We notice that $\omega$ is a non-trivial cubic root of 1 and satisfies $\omega^2 + \omega + 1 = 0$.

For an element $\alpha \in \mathbb{Z}[\omega]$, we define the norm $N(\alpha) = \alpha\bar{\alpha}$, where $\bar{\alpha}$ denotes the complex conjugate of $\alpha$. This is the classical (squared) norm induced by the complex plane. From the definition, we have

$$N(a + b\omega) = \left(a - \frac{b}{2}\right)^2 + \frac{3b^2}{4} = a^2 - ab + b^2.$$

It can be shown that $\mathbb{Z}[\omega]$ is a unique factorization domain, i.e. every element can be decomposed into a product of irreducible elements uniquely up to a unit element. We also call the irreducible elements the prime elements of $\mathbb{Z}[\omega]$. To avoid confusion, a prime of $\mathbb{Z}$ will be called a rational prime if the context is not clear. The units are the invertible elements, and in this case they all have a norm equal to one. Hence, the units of $\mathbb{Z}[\omega]$ are $\pm 1, \pm\omega, \pm\omega^2$. All prime elements of $\mathbb{Z}[\omega]$ are classified below.

Proposition. The following statements hold and the list of primes of $\mathbb{Z}[\omega]$ is exhaustive.

1. Let $p$ be a rational prime such that $p \equiv 1 \pmod 3$. Then there exists a prime $\pi$ such that $N(\pi) = \pi\bar{\pi} = p$.

2. If $q$ is a rational prime such that $q \equiv 2 \pmod 3$, then $q$ is also a prime in $\mathbb{Z}[\omega]$.

3. $1 - \omega$ is prime and $N(1 - \omega) = 3$.

The ideal generated by a single element $\alpha \in \mathbb{Z}[\omega]$ is denoted by $(\alpha)$ and is equal to $\alpha \cdot \mathbb{Z}[\omega]$.

Proposition. Let $\pi$ be a prime in $\mathbb{Z}[\omega]$. Then $\mathbb{Z}[\omega]/(\pi)$ is a finite field with $N(\pi)$ elements.

We can also prove that the set $\{a + b\omega \mid 0 \le a, b < q\}$, resp. $\{0, 1, 2, \ldots, p - 1\}$, forms all representatives of the residue class field in the case where $q \equiv 2 \pmod 3$, resp. $p \equiv 1 \pmod 3$. We can also prove that for a prime $\pi$ s.t. $N(\pi) \ne 3$ and $\alpha \in \mathbb{Z}[\omega]$ s.t. $\alpha \not\equiv 0 \pmod \pi$, we have $\alpha^{(N(\pi) - 1)/3} \equiv \omega^i \pmod \pi$ for an $i \in \{0, 1, 2\}$. This result $\omega^i$ is called the cubic residue character of $\alpha$ modulo $\pi$ and is denoted as $(\alpha/\pi)_3$ or as $\chi_\pi(\alpha)$. If $\alpha \equiv 0 \pmod \pi$, we set $\chi_\pi(\alpha) = 0$.

Let $\alpha$ and $\beta$ be in $\mathbb{Z}[\omega]$. Suppose the prime factorization of $\beta$ is $u \prod_{i=1}^{k} \pi_i^{e_i}$, where $N(\pi_i) \ne 3$ for all $1 \le i \le k$ and $u$ is a unit. Then the Jacobi-like symbol $(\alpha/\beta)_3$ is defined as $\prod_{i=1}^{k} (\alpha/\pi_i)_3^{e_i}$. In order to formulate the law of cubic reciprocity, we have to introduce the concept of primary. We say that an element $\alpha$ of $\mathbb{Z}[\omega]$ is primary iff $\alpha \equiv -1 \pmod 3$. Note that the term "primary" does not only apply to prime elements. Every element possesses exactly one associate that is primary. (An associate of an element $\alpha$ is an element of the form $u\alpha$ for a unit $u$.)

Proposition. Let $\pi$ be a prime s.t. $N(\pi) \ne 3$ and $\alpha, \beta, \gamma \in \mathbb{Z}[\omega]$. Let $\alpha = 3(A + B\omega) - 1$ be primary with $A, B \in \mathbb{Z}$.

1. $(\alpha/\pi)_3 = 1$ iff $x^3 \equiv \alpha \pmod \pi$ is solvable, i.e., iff $\alpha$ is a cubic residue.

2. $(\alpha\beta/\gamma)_3 = (\alpha/\gamma)_3 (\beta/\gamma)_3$.

3. $\alpha \equiv \beta \pmod \gamma \Rightarrow (\alpha/\gamma)_3 = (\beta/\gamma)_3$.

4. (Law of Cubic Reciprocity) If $\alpha$ and $\beta$ are primary, then $(\alpha/\beta)_3 = (\beta/\alpha)_3$.

5. $(\omega/\alpha)_3 = \omega^{A + B}$.

6. $((1 - \omega)/\alpha)_3 = \omega^{2A}$.

We are now in the position to define the characters of order 3 on $\mathbb{Z}_p^*$ for a rational prime $p$ and their extensions to a composite modulus, that is, a Jacobi-like symbol. We consider only the case where $p \equiv 1 \pmod 3$, since the characters are not trivial in this case. Set $p = \pi\bar{\pi}$. Recall first that the field $\mathbb{Z}[\omega]/(\pi)$ can be represented by $\mathbb{Z}_p$ since the set $\{0, 1, \ldots, p - 1\}$ contains all representatives and the multiplications are equivalent in the two cases. Thus, the cubic residue character $\chi_\pi$ is completely defined on $\mathbb{Z}_p^*$. We directly deduce that $\chi_{\bar{\pi}}$ is another non-trivial character of order 3 and is even equal to $\chi_\pi^2$ (the complex conjugate of $\chi_\pi$) on the rational integers. Let $p, q$ be two different rational primes such that $p \equiv q \equiv 1 \pmod 3$ and $\pi, \sigma \in \mathbb{Z}[\omega]$ such that $N(\pi) = p$ and $N(\sigma) = q$. Let $n = pq$; the character on $\mathbb{Z}_n^*$ produced by $\chi_\pi$ and $\chi_\sigma$ is denoted by $\chi_{\pi\sigma}$ and is defined as $\chi_{\pi\sigma}(a) = \chi_\pi(a) \cdot \chi_\sigma(a)$. The other characters are defined in exactly the same multiplicative way. There are 8 non-trivial characters of order 3 defined on $\mathbb{Z}_n^*$, namely

$\chi_\pi,\ \chi_{\bar{\pi}},\ \chi_\sigma,\ \chi_{\bar{\sigma}},\ \chi_{\pi\sigma},\ \chi_{\bar{\pi}\sigma},\ \chi_{\pi\bar{\sigma}}$ and $\chi_{\bar{\pi}\bar{\sigma}}$.

Here, we explain how to find these characters and how they can be computed. The first step consists of finding a prime $\pi \in \mathbb{Z}[\omega]$ such that $N(\pi) = p \equiv 1 \pmod 3$ for a rational prime $p$. We assume here some knowledge of the algorithms of Tonelli and Cornacchia. For a given $p$, we have to find an element $a + b\omega \in \mathbb{Z}[\omega]$ such that $a^2 - ab + b^2 = p$. This is equivalent to $(a - \frac{b}{2})^2 + \frac{3b^2}{4} = p$. By introducing the two new variables $s = a - \frac{b}{2}$ and $t = \frac{b}{2}$ we obtain $s^2 + 3t^2 = p$ for $s, t \in \mathbb{Z}$. Now, it suffices to apply the algorithm of Cornacchia to solve this equation in $s$ and $t$. This algorithm consists of finding an $x \in \mathbb{Z}$ such that $x^2 \equiv -3 \pmod p$ (apply the algorithm of Tonelli) and then applying the Euclidean algorithm to $x$ and $p$ until we get the first remainder $r_n$ such that $r_n^2 < p$. A solution is given by setting $s = r_n$.

Suppose we have a character $\chi_\alpha$ where $\alpha$ can be for example $\pi\sigma$. The computation of a residue character $(a/\alpha)_3$ can be done using a technique similar to the computation of the Jacobi symbol in the context of quadratic residuosity.

Indeed, this consists of reducing $a$ mod $\alpha$ by a Euclidean division in $\mathbb{Z}[\omega]$ and then applying the cubic reciprocity law to exchange the two elements of the character. This last step can be done only after having extracted some units so that $a$ and $\alpha$ become primary. Then, by iterating this operation, we reduce the size of the elements involved in the cubic residue character until this one becomes trivial. Note that the asymptotic complexity of the computation is $O(\log(n)^3)$ using standard arithmetic and $O(\log(n)^2 \log\log(n) \log\log\log(n))$ using fast arithmetic. This is almost the same magnitude of complexity as the classical Jacobi symbol, which is $O(\log(n)^2)$. For more details about this algorithm and its complexity we refer to the article of R. Scheidler [R. Scheidler, "A Public-Key Cryptosystem Using Purely Cubic Fields", Journal of Cryptology, 11, pp. 109-124, Springer, 1998].
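As an added example (not the patent's own code), the construction of the order-3 character $\chi_\pi$ on $\mathbb{Z}_p^*$ described above: a prime $\pi = a + b\omega$ with $N(\pi) = p$ is found by the Cornacchia step, $\log_{\chi_\pi}$ is read off from $a^{(p-1)/3} \bmod p$ after identifying $\omega$ with an element of $\mathbb{Z}_p$, and $\chi_{\pi\sigma}$ on $\mathbb{Z}_n^*$ is the product of two such characters. It assumes that $\sqrt{-3} \bmod p$ is obtained as $2\omega_p + 1$ from a cube root of unity $\omega_p$ rather than with Tonelli's algorithm; all function names are my own.

```python
# Added example (not the patent's own code): the order-3 character chi_pi on Z_p^*
# from a prime pi = a + b*omega of Z[omega] with N(pi) = p, and chi_{pi sigma} on
# Z_n^*, n = p*q.  sqrt(-3) mod p is taken as 2*omega_p + 1 from a cube root of
# unity omega_p (an assumption of this example, in place of Tonelli's algorithm).
import random
from math import gcd, isqrt

def cube_root_of_unity(p):
    """A primitive cube root of unity mod p (p = 1 mod 3): g^((p-1)/3) for random g."""
    while True:
        w = pow(random.randrange(2, p), (p - 1) // 3, p)
        if w != 1:
            return w

def eisenstein_prime_above(p):
    """(a, b) with a^2 - a*b + b^2 = p, i.e. N(a + b*omega) = p, via Cornacchia."""
    assert p % 3 == 1
    x = (2 * cube_root_of_unity(p) + 1) % p   # omega = (-1 + sqrt(-3))/2
    assert (x * x + 3) % p == 0
    r0, r1 = p, x
    while r1 * r1 >= p:                       # Euclid until the first remainder r with r^2 < p
        r0, r1 = r1, r0 % r1
    s = r1
    t = isqrt((p - s * s) // 3)               # s^2 + 3 t^2 = p
    assert s * s + 3 * t * t == p
    a, b = s + t, 2 * t                       # s = a - b/2 and t = b/2
    assert a * a - a * b + b * b == p
    return a, b

def cubic_log(p, pi):
    """log_chi for chi_pi: chi_pi(x) = omega^j with x^((p-1)/3) = omega^j (mod pi)."""
    a, b = pi
    # Z[omega]/(pi) = Z_p, and a + b*omega = 0 (mod pi) identifies omega with -a/b mod p.
    omega_p = (-a * pow(b, -1, p)) % p
    assert (omega_p * omega_p + omega_p + 1) % p == 0
    exponent = {pow(omega_p, j, p): j for j in range(3)}
    return lambda x: exponent[pow(x, (p - 1) // 3, p)]

def composite_cubic_log(p, q):
    """log for chi_{pi sigma}(x) = chi_pi(x mod p) * chi_sigma(x mod q) on Z_n^*."""
    log_pi = cubic_log(p, eisenstein_prime_above(p))
    log_sigma = cubic_log(q, eisenstein_prime_above(q))
    return lambda x: (log_pi(x % p) + log_sigma(x % q)) % 3

def is_cubic_character(log_chi, n):
    """Check log_chi(xy) = log_chi(x) + log_chi(y) (mod 3) over all units of Z_n^*."""
    units = [x for x in range(1, n) if gcd(x, n) == 1]
    return all(log_chi(x * y % n) == (log_chi(x) + log_chi(y)) % 3
               for x in units for y in units)
```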

Characters of order 4 

Studying the characters of order 4 consists principally of the theory of biquadratic residuosity. This one is quite similar to that of cubic residuosity and is done in the ring of Gaussian integers $\mathbb{Z}[i]$. A rational prime $p$ of the form $p \equiv 1 \pmod 4$ is the norm of a prime $\pi$ in $\mathbb{Z}[i]$. The field $\mathbb{Z}[i]/(\pi)$ has the set of representatives $\{0, 1, \ldots, p - 1\}$ and is identical to $\mathbb{Z}_p$. The biquadratic residue character of an $\alpha \in \mathbb{Z}[i]$ is defined as $\chi_\pi(\alpha) := i^j$, where $j \in \{0, 1, 2, 3\}$ is such that $\alpha^{(N(\pi) - 1)/4} \equiv i^j \pmod \pi$. Moreover, this character generates the two other non-trivial characters of order 4. Note also that the square of $\chi_\pi$ is equal to the quadratic residue character $\chi_p$. We can also define a Jacobi-like symbol in this context similarly to that in the theory of characters of order 3. Moreover, there is also a law of reciprocity in a similar way as before.

Characters of higher orders 

It is probably possible to extend our character constructions to some orders greater than 4. Indeed, there is a way to generalize the residuosity to higher orders by introducing a power residue symbol defined on the integers of a cyclotomic field. A general treatment of these cases would be beyond the scope of this paper. Moreover, the computation seems to be more difficult to deal with, and the ring of these integers becomes a non-unique factorization domain when the order is large. Since such a ring is not a principal ideal domain, we should work with ideals that are generated by more than one element. However, we do not lose the existence of the reciprocity laws, namely there exists a so-called Kummer reciprocity law on some integral ideals of a cyclotomic field (see F. Lemmermeyer, Reciprocity Laws, Monographs in Mathematics, Springer, 2000).

Application on undeniable signature 

The group homomorphism of the undeniable signature scheme described above corresponds, in the context of characters, to hard characters, which means a non-trivial character, and for $d = 2$ we also exclude the Jacobi symbol $(\cdot/n)$.

In an alternative embodiment of the key generation, we have the possibility to avoid the costly generation of primes in the generation of the hard characters (secret key). For $d = 3$ or $4$ we can also directly generate $n = \pi\bar{\pi}$ from a random $\pi \in \mathbb{Z}[\omega]$ (for $d = 3$) or $\mathbb{Z}[i]$ (for $d = 4$), and the hard character is $\chi = (\cdot/\pi)_d$. Note that in this case the factorization of $n$ is unknown. In this case, the initial group $G$ will be $\mathbb{Z}_n^*$.

Batch Verification 

We point out that our scheme allows a batch verification of signatures. Indeed, the confirmation protocol can be easily adapted in order to confirm several signatures at the same time. To this end, the verifier simply computes the $x_i$'s of all messages with $\mathrm{Gen}_2$ and continues the protocol as if the $x_i$'s were issued from one signed message.

We have presented an undeniable signature based on a new problem that is quite general, and we have also proved the security of our new scheme. The principal advantage is the size of the signature, which can be chosen arbitrarily short. From this general setting we have also proposed a practical example with a 3-byte signature and a complexity cost which is similar to RSA. We hope that this example will be complemented by various additional settings, since group homomorphisms are common objects in cryptography. This is left as future work. It would also be interesting to give some different classes of homomorphisms for which the Group Homomorphism Interpolation Problem is hard.



